Encoded WebService SOAP Header?

Discussion in 'ASP .Net Web Services' started by Andrew Robinson, May 25, 2005.

  1. I have a public web server that runs behind a firewall at a hosting
    facility. We own and control the server. I need to make occasional updates
    and changes to data stored in SQL and am unable to establish any type of VNP
    or SSL connection to the server due to hardware restrictions at this time.

    I would like to make these updates using Web Services. I understand how to
    embed a username / password in a SOAP header, but it would seem to me that
    an attacker could simply replicate the username / password since I am unable
    to use SSL at this time. Or is there another approach to encrypting these?
    (Read on.)

    If I encrypt the username password using a .NET cryptographic provider,
    couldn't an attacker simply use the encrypted username / password?

    How about adding a time component to the encoded username / password data
    structure such as DateTime.Now.Ticks? This would make every username /
    password unique. In addition, I could test the uuencoded time factor to get
    an age on the username / password. If the absolute age of the time factor is
    older than about 500 (1000?) milliseconds, I would assume it is invalid.

    I have tight control over both the web server and my client updating
    machine. I would use the same symmetric encryption key on both machines and
    would have to insure that the clocks on both machines are synchronized to
    one another within a small error factor.

    The actual data that I am transferring is really not sensitive and it does
    not need to be encrypted; I just need to insure that only I am able to make
    updates to via the web services.

    Seem like a reasonable approach?
    Andrew Robinson, May 25, 2005
    1. Advertising

  2. Andrew Robinson

    [MSFT] Guest

    [MSFT], May 26, 2005
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bob the coder

    How I get my WebService to handle url encoded parameters

    Bob the coder, Nov 25, 2003, in forum: ASP .Net Web Services
    Bob the Coder
    Nov 27, 2003
  2. Pokkie
    Keenan Newton
    May 6, 2005
  3. Peter van der veen

    How to add SOAP header to a SOAP message?

    Peter van der veen, Nov 8, 2006, in forum: ASP .Net Web Services
    J. Dudgeon
    Nov 14, 2006
  4. imonline
    Dec 1, 2006
  5. Hung Nguyen
    Hung Nguyen
    Nov 8, 2007

Share This Page